email, why/what?

Add0 (@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

In a current case I'm trying to find files relating to a specific email address, let's say email@email.com. The OS is XP. When I keyword search with FTK I get 24 hits in 8 files; 6 of these files are registry files, e.g.

"[REGISTRY_USER_NTUSER……]", then the directory, followed by "System Volume Information\_restore", then more parentheses with numerical values in them, and then the text "\snapshot".

When I click to view the hits in these files, FTK shows the following:

"opens an email program so you can send or read a message.
c\Program files\Windows Media Player\wmplayer.exe
Windows Media Player
email@email.com
SP2QFE
SP2QFE
ntel
1 ix stor
xeMRUListEx"

There is more info than this, but I don't know how to interpret it or where it starts to become unrelated.

Can anyone tell me why this data is in this location on the machine and what it means? It's only in this context in these files, and in 2 locations in unallocated space, that the email appears to be on the machine.

Thanks for any help or advice.

Add0

Add0 (@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

Has anyone got any idea? This is strange; I don't understand why the email address appears in this location.

Thanks


keydet89 (@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

> In a current case I'm trying to find files relating to a specific email address, let's say email@email.com. The OS is XP. When I keyword search with FTK I get 24 hits in 8 files; 6 of these files are registry files, e.g.
>
> "[REGISTRY_USER_NTUSER……]", then the directory, followed by "System Volume Information\_restore", then more parentheses with numerical values in them, and then the text "\snapshot".

This appears to be an NTUSER.DAT file located in an XP Restore Point. Why not extract that file from the image via FTK, and then load the hive into RegEdit and perform your search that way?

> When I click to view the hits in these files, FTK shows the following:
>
> "opens an email program so you can send or read a message.
> c\Program files\Windows Media Player\wmplayer.exe
> Windows Media Player
> email@email.com
> SP2QFE
> SP2QFE
> ntel
> 1 ix stor
> xeMRUListEx"

None of this really means anything, as there is no context. FTK performs the search across the entire binary contents of the file; you should consider focusing your search.

> There is more info than this, but I don't know how to interpret it or where it starts to become unrelated.
>
> Can anyone tell me why this data is in this location on the machine and what it means?

Nope. The location appears to be a Registry file, but without additional context (i.e., the specific key(s) in which the email address is located), there really isn't much that can be provided.

Good luck

H
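As an added example (not from the thread or from either poster), a PowerShell script that does what the reply above suggests without RegEdit: it loads the NTUSER.DAT copy exported from the restore point under HKEY_USERS, walks every key and value, and decodes REG_BINARY data as UTF-16 and ASCII as well, so each hit comes back with the key path and value name that the raw FTK keyword search could not give. The hive path, the mount name RP_NTUSER and the search string are placeholders.

```powershell
# Added example, not from the thread. Assumes the hive copy was exported from the
# restore point with FTK to the placeholder path below. Must run in an elevated
# PowerShell session: reg load needs the backup/restore privileges.
$HivePath = 'C:\case\RP_NTUSER.DAT'     # placeholder: exported _REGISTRY_USER_NTUSER_* file
$Needle   = 'email@email.com'           # the search term from the thread
$Mount    = 'HKU\RP_NTUSER'             # temporary mount point under HKEY_USERS

reg load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
try {
    $root = "Registry::$Mount"
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = [string]$key.GetValueKind($name)
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ can be matched as text directly.
            # REG_BINARY blobs (MRU lists and the like) usually carry UTF-16 strings,
            # which is what a raw keyword search hits without telling you the key;
            # decode both encodings so neither kind of hit is missed.
            $text = switch ($kind) {
                'String'       { $raw }
                'ExpandString' { $raw }
                'MultiString'  { $raw -join "`n" }
                'Binary'       { [Text.Encoding]::Unicode.GetString($raw) + "`n" +
                                 [Text.Encoding]::ASCII.GetString($raw) }
                default        { '' }
            }
            if ($text -like "*$Needle*") {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $(if ($name -eq '') { '(Default)' } else { $name })
                    Type  = $kind
                }
            }
        }
    }
}
finally {
    # Release the RegistryKey handles first, or reg unload reports access denied.
    $keys = $null; [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload $Mount | Out-Null
}
```

Each object written to the pipeline names the key, value and type where the string was found, which is the context needed to judge whether a hit (an MRU entry, a typed path, an application setting) is actually related to the case.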
